Emergency Update Notification for WordPress 2.1+

If you updated WordPress in the past few days, download the new version and update it again. Someone was able to break in and malicious code was added to the download. The new version is WordPress 2.1.2.

2.1.1 hasn’t been out much longer than ‘a few days’ anyway (about a week and a half), and since we don’t know exactly when the server was cracked I personally would feel safer updating ALL 2.1.1 installs. If I didn’t happen to be sticking to the 2.0 branch, that is 🙂

If you have only upgraded to WordPress 2.1, this does not apply to you. If you upgraded immediately after WordPress 2.1.1 was released, you should be okay. This appears to apply only to downloads within the last three or four days.

Actually, this is a mandatory upgrade for all 2.1.x users. Obviously the most egregious security hole is the one introduced by the cracker (which, as you note, only applies to people who downloaded within the past few days), but there is another security hole fixed by 2.1.2 (XSS vulnerability, publicly known). And 2.1.1 fixed vulnerabilities in 2.1, so you have several reasons to upgrade from 2.1 to 2.1.2.

I upgraded to 2.1.1 the other day, then noticed a lot of, um, bad links in my content that had been installed via cross-site scripting. I have extensive mods in the code, so upgrading is a major pain. Therefore, I only upgraded the files that were changed from 2.1.0 to 2.1.1, using the changefiles Lorelle mentioned in an earlier post. This includes wp-admin/post.php which is what that girl again mentions above in the comments.

As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!
It ma…